[Openstack-security] [Bug 1369870] Re: The cookies for messages, django_timezone, horizon_pagesize, and horizon_language are not marked as "secure"
Julie Pichon
1369870 at bugs.launchpad.net
Mon Sep 29 07:54:32 UTC 2014
It may be worth considering for the "messages" cookie?
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1369870
Title:
The cookies for messages, django_timezone,horizon_pagesize, and
horizon_language are not marked as "secure"
Status in OpenStack Dashboard (Horizon):
New
Bug description:
Affected URL: https://Ip_address/settings/
Affected Entity: messages, django_timezone, horizon_pagesize, and horizon_language
Risk: It may be possible to steal user and session information (cookies) that was sent during an encrypted session
Causes: The web application sends non-secure cookies over SSL
Recommend Fix: Add the 'Secure' attribute to all sensitive cookies
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1369870/+subscriptions
More information about the Openstack-security
mailing list